Bug #5881
Status: Closed
CVE-2014-3491 - XSS from create/update/destroy notification boxes
Description
possible XSS: Configure -> Host groups - key name with HTML evaluated when submitted
How reproducible:
always
Steps to Reproduce:
1. In webUI go to Configure -> Host groups -> New Host groups
2. Fill in this:
Name: test<script>alert('HI')</script>
Click "Submit" to create the hostgroup
3. Note that parameter name is correctly escaped in the parameters list
Actual results:
Once the hostgroup is SUBMITTED, a JavaScript alert window appears (script gets executed)
Expected results:
Submit button should not execute JavaScript
Updated by Dominic Cleal almost 11 years ago
This appears to be coming from the popup notifications in the UI that appear when creating/updating/deleting resources. I suppose one user could create a resource with such a name and then another user could try editing or deleting it to execute the script, but when creating, a user is only going to be able to attach themselves.
The host group name is also formatted strangely in the host groups list, may be worth checking out at the same time.
(I've also seen this when deleting config groups and templates, it's a problem generally with the process_success type notifications.)
Updated by Joseph Magen almost 11 years ago
- Status changed from New to Assigned
Rails automatically escapes/sanitizes text strings when saving to the db, so this is the reason for the "strange formatting".
I emailed patch.
Updated by Dominic Cleal almost 11 years ago
Please just attach the patch for review here, thanks.
Updated by Dominic Cleal almost 11 years ago
- File 0001-fixes-5881-XSS-from-create-update-destroy-notificati.patch added
- Assignee set to Joseph Magen
Attached is the v1 patch.
Works well, though could we escape the HTML rather than sanitizing it? Just so the actual name fully shows up.
I looked into the index name display, it's just a bug in the ancestry_helper, pretty sure it's harmless. I'll file another bug once this is unembargoed.
Updated by Joseph Magen almost 11 years ago
- File 0002-fixes-5881-XSS-from-create-update-destroy-notificati.patch added
- Status changed from Assigned to Ready For Testing
New patch attached that uses CGI::escapeHTML rather than ActionController::Base.helpers.sanitize.
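The difference between the v1 (sanitize) and v2 (CGI::escapeHTML) approaches discussed in the two comments above, as an added illustration that is not Foreman's code or either attached patch. The `notice_*` helpers are hypothetical stand-ins for a process_success notification message built from a resource name; the "sanitize" stand-in is a naive tag-stripping regex used only to show why stripped markup makes the name not "fully show up", and is not the behaviour of ActionController::Base.helpers.sanitize. The sample name is the one from the bug report.

```ruby
require 'cgi'

# Constructed sample input: the host group name from the report.
HOSTGROUP_NAME = "test<script>alert('HI')</script>"

# Hypothetical reconstruction of the vulnerable pattern: the raw name is
# interpolated straight into HTML that the notification box renders.
def notice_unescaped(name)
  "Successfully created #{name}."
end

# Naive tag-stripping stand-in for the v1 approach (NOT Rails' sanitize):
# the markup is gone, so the browser cannot execute it, but the displayed
# name no longer matches what the user actually typed.
def notice_stripped(name)
  "Successfully created #{name.gsub(/<[^>]*>/, '')}."
end

# v2 approach: escape the name so every character is shown literally.
# CGI.escapeHTML turns < > & " ' into entities; the browser renders the
# full original name as text and never sees a <script> element.
def notice_escaped(name)
  "Successfully created #{CGI.escapeHTML(name)}."
end

# Defender's check: does the rendered HTML still contain a live <script>
# element? Any notification text that should be plain data must fail this.
def contains_script_tag?(html)
  html.match?(/<script\b/i)
end

# Round-trip check: the escaped form decodes back to the exact name, which
# is what makes escaping preferable to stripping for display purposes.
def name_preserved?(name)
  CGI.unescapeHTML(CGI.escapeHTML(name)) == name
end

if __FILE__ == $PROGRAM_NAME
  puts notice_unescaped(HOSTGROUP_NAME)
  puts notice_stripped(HOSTGROUP_NAME)
  puts notice_escaped(HOSTGROUP_NAME)
end
```

Escaping at the point where the name is written into HTML is the right layer for this fix: the database should keep the name verbatim (so the parameters list and other views can escape it themselves), and only the rendering step decides how to make it safe for the browser.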
Updated by Dominic Cleal almost 11 years ago
- Status changed from Ready For Testing to Pending
ACK, thanks Joseph!
Updated by Dominic Cleal almost 11 years ago
- File 0001-fixes-5881-XSS-from-create-update-destroy-notificati.patch added
- File 0001-fixes-5881-XSS-from-create-update-destroy-notificati.patch added
Updated patch to fix tests, backported to 1.4-stable.
Updated by Joseph Magen almost 11 years ago
- Status changed from Pending to Closed
- % Done changed from 0 to 100
Applied in changeset 983075c0c0e95c0d4715591325e88c90c7f09d71.
Updated by Dominic Cleal almost 11 years ago
Fixes committed to 1.4-stable, 1.5-stable and develop.
Foreman 1.4.5 and 1.5.1 releases will be made today with the fix.